ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2976/java/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

75 lines
2.2 KiB
Plaintext
Raw Blame History

== Why is this an issue?
Using ``++File.createTempFile++`` as the first step in creating a temporary directory causes a race condition and is inherently unreliable and insecure. Instead, ``++Files.createTempDirectory++`` (Java 7+) or a library function such as Guava's similarly-named ``++Files.createTempDir++`` should be used.
This rule raises an issue when the following steps are taken in immediate sequence:
* call to ``++File.createTempFile++``
* delete resulting file
* call ``++mkdir++`` on the File object
*Note* that this rule is automatically disabled when the project's ``++sonar.java.source++`` is lower than ``++7++``.
=== Noncompliant code example
[source,java]
----
File tempDir;
tempDir = File.createTempFile("", ".");
tempDir.delete();
tempDir.mkdir(); // Noncompliant
----
=== Compliant solution
[source,java]
----
Path tempPath = Files.createTempDirectory("");
File tempDir = tempPath.toFile();
----
== Resources
* OWASP - https://owasp.org/www-project-top-ten/2017/A9_2017-Using_Components_with_Known_Vulnerabilities[Top 10 2017 Category A9 - Using Components with Known Vulnerabilities]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Use "Files.createTempDirectory" or a library function to create this directory instead.
'''
== Comments And Links
(visible only on this page)
=== on 26 May 2015, 12:01:03 Ann Campbell wrote:
http://nemo.sonarqube.org/coding_rules#rule_key=grvy%3Aorg.codenarc.rule.security.FileCreateTempFileRule
=== on 29 May 2015, 06:44:07 Nicolas Peru wrote:
Spec looks good.
\[~ann.campbell.2] I am wondering about the targeted language Groovy : rule is covered by codenarc and AFAIK we don't have any intention to develop our own groovy analyzer. So should it be covered instead of targeted for groovy ?
=== on 29 May 2015, 14:47:00 Ann Campbell wrote:
I wouldn't mark it covered based on a 3rd-party tool. I set it to targeted in case we ever do decide to write our own Groovy rules.
=== on 1 Jun 2015, 15:07:21 Nicolas Peru wrote:
Ok !
=== on 19 Aug 2019, 11:04:23 Pierre-Loup Tristant wrote:
https://guava.dev/releases/19.0/api/docs/com/google/common/io/Files.html#createTempDir()
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink